May 14, 2006

Introduction to ISA 2004

So this weekend I was invited down to the Microsoft campus in Redmond to present on an 'Introduction to ISA 2004' for the PacWest SBS UG meeting, which involved user groups from Seattle, Portland and Vancouver. (I think.. my apologies if I missed a group or two)

As promised, here is a copy of my slidedeck.

I also said I would comment on the myth that ISA sucks if you have remote management cards. You know, those out-of-band management cards like the "HP Remote Insight Lights-Out". It is true that if the SBS box fails and ISA isn't available that it could be impossible to access the card's IP address. After all ISA is down, and nothing will go through it. That's the whole point of it failing closed. That's not a bad thing.

This is one of the few times I would recommend one of those $50 Linksys/Cisco NAT devices with simple ingress filtering. You simply set it up to block ALL access except FROM a trusted IP (ie: Your office) and allow it to simply access the remote card. You could use a simple cross over cable on the LAN side of the device directly to the remote card. WALLA. Problem solved. Secure access to the OOB management card, and still utilize the benefits of ISA server.

Please consider it. Don't through away ISA over something that can be solved for less that $50 and 10 minutes of your time.

Thanks to Steve Banks and Mike Iem for asking me to come down and talk about security and how it relates to ISA. I hope you guys learned something, and above all... had fun. It was a beautiful Saturday and I appreciate you decided to stick around and listen to my drivel when you could have been cruising around in the west coast sunshine.

Posted by SilverStr at May 14, 2006 11:01 PM | TrackBack

Then again the Linksys/Cisco device can fail too.

Posted by: Patrick Ogenstad at May 14, 2006 11:59 PM

Hey - I'm no language purist, but is that well known French phrase for 'by that way' a common Canadian slang spelling?
Of any other country, I would thought that you guys would know how to spell it correctly. Or is it that you can't be bothered to add the grave accent to the letter a! LOL

Posted by: Richard Cass at May 15, 2006 05:36 AM

We just connect the management cards to the existing router and do as you say. Configure that port on the router to access to the card from our IP. This isn't an SBS specific configuration. If you want to always have access to that management card from the outside, then its got to directly connected to the Internet.

Posted by: Amy at May 15, 2006 06:07 AM


In lockdown mode, ISA has a system policy rule that allows incoming Terminal Services traffic to the firewall from a restricted set of IP addresses (the remote management computer set).

Could you compare the two solutions and what you think are the pros/cons of each?

Thanks, Ziv
(I'm actually on the ISA team)

Posted by: Ziv Caspi at May 18, 2006 05:46 AM

I have an edge router and in that configuration the Dell Remote Access Card simply sits in the quasi-dmz

Posted by: DonMurphy at May 18, 2006 09:58 AM